The Ubuntu guided installer is great, in some ways. It offers you the opportunity to use full-disk encryption which certainly made my day a lot better when I had my laptop stolen. That said, it's slightly problematic: I very much like to separate out my partitions: I want my /home/ mount to be on a different partition than the root filesystem for the obvious reason that it facilitates re-installs.

However, even if you have the same passphrase set on each of the partitions, the boot-time cryptsetup system will ask you for multiple passphrases. The way around this is to set up the following system. LUKS allows a file to act as a key that will automatically unlock a device. If we store this key on a LUKS encrypted partition, we can simply unlock that first partition and the key can then be used to unlock other partitions.

The way that I achieved this was to follow a modified version of Mark Loiseau's excellent guide on encrypting using aes-xts-plain64. I'm going to replicate parts of this here in case his site goes down. Please note that I disclaim any responsibility if this messes up your system. You need a good level of tech competence to do this and I cannot be responsible for any errors in what's pasted below. I have, however, set this up successfully on my system.

Step 1

Download yourself an Ubuntu Desktop image and boot into the live environment. Use GParted to set up the basic sizes of the partitions that you want. From there, drop to a root terminal (sudo -i) and then:

This generates a keyfile consisting of random characters and adds it to the home partition as an allowed unlock method.

Step 5

The penultimate step is to wire this all together in /etc/fstab and /etc/crypttab. First of all, ascertain the IDs of the devices by running "sudo blkid" outside of the chroot. Note down the UUIDs for all the relevant partitions.

Now, inside the chrooted shell, edit /etc/fstab ("sudo nano /etc/fstab") and you should end up with something like this:

{% highlight bash %}
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
#
/dev/mapper/crypt / ext4 errors=remount-ro 0 1
# /boot was on /dev/sda1 during installation
UUID=e4ef3f23-cd60-4d84-a8d2-b6004a26d055 /boot ext4 defaults 0 2
/dev/mapper/crypthome /home ext4 defaults 0 2
# swap was on /dev/sda2 during installation
UUID=cbab5539-3754-4f95-b90f-cf75d2094267 none swap sw 0 0
{% endhighlight %}
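As an added example (not part of this post or Mark Loiseau's guide), here is a small POSIX shell helper covering the two pieces the approach above depends on: generating the random keyfile with root-only permissions, and producing the /etc/crypttab line that unlocks the home partition with it. The keyfile path /root/.keyfile, the mapper name crypthome (matching the fstab above) and the constructed UUID are assumptions; cryptsetup's luksAddKey and open --test-passphrase are real commands, but the enrolment function needs a real LUKS device and root.

```shell
#!/bin/sh
# Added helper, not from the original post. Assumed layout: the keyfile
# lives at /root/.keyfile on the already-unlocked root filesystem and the
# home partition is mapped as /dev/mapper/crypthome, as in the fstab above.

# Create a 4096-byte random keyfile readable only by root. Refuses to
# overwrite an existing file so a key already enrolled in a slot is never
# silently replaced by one that unlocks nothing.
make_keyfile() {
    path="$1"
    [ -e "$path" ] && { echo "refusing to overwrite $path" >&2; return 1; }
    ( umask 077 && head -c 4096 /dev/urandom > "$path" ) || return 1
    chmod 0400 "$path"
}

# Print the /etc/crypttab line for the home partition in the form
#   <mapper name> UUID=<partition uuid> <keyfile> luks
# Only a well-formed UUID (as printed by blkid) is accepted, so a typo
# fails here rather than at boot.
crypttab_line() {
    name="$1"; uuid="$2"; keyfile="$3"
    printf '%s' "$uuid" | grep -Eiq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$' \
        || { echo "bad UUID: $uuid" >&2; return 1; }
    printf '%s UUID=%s %s luks\n' "$name" "$uuid" "$keyfile"
}

# Enrol the keyfile in a spare LUKS key slot (prompts for the existing
# passphrase), then confirm the keyfile really unlocks the device without
# mapping it, before you rely on it at boot. Needs root and a real LUKS
# device; not exercised by the test below.
enroll_keyfile() {
    dev="$1"; keyfile="$2"
    cryptsetup luksAddKey "$dev" "$keyfile" || return 1
    cryptsetup open --test-passphrase --key-file "$keyfile" "$dev"
}
```

Run make_keyfile and enroll_keyfile from the live environment against the home partition, then append the crypttab_line output to /etc/crypttab inside the chroot.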